Sponsored by..

Thursday 22 October 2015

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk" (again)

This fake invoice does not comes from United Utilities Scotland, but is instead a simple forgery with a malicious attachment. It is very similar to this spam sent a few days ago.

From     "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date     Thu, 22 Oct 2015 19:30:13 +0700
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards


Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)

EMGateway3.uuplc.co.uk made the following annotations
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of about between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing one of these malicious macros [1] [2] [3].

Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.

This VirusTotal report also identifies the following download locations:


This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to: (Linode, US)

Further analysis is pending, in the meantime I suggest that you block traffic to the above IP.



AnthonyG said...

I love it when they start "I hope you are well". Have none of these people ever seen a real business communication?

scratchal said...

Good point, but best not to put that out there.